Hi,
it's mostly a question out of curiosity but maybe useful for some people.
I wonder if there is a way to prevent a direct piping from curl to bash using SELinux.
And of course one can download a file and then run bash on it, but a simple rule that prevents direct piping would at least give a heads up about it.
On 10/16/2018 11:15 AM, Sheogorath wrote:
> Hi,
> it's mostly a question out of curiosity but maybe useful for some people.
> I wonder if there is a way to prevent a direct piping from curl to bash using SELinux.
> And of course one can download a file and then run bash on it, but a simple rule that prevents direct piping would at least give a heads up about it.
Sounds not like something I would implement. And you don't give much context to your situation.
What do you like to prevent? Stop users with root-shells to execute arbitrary shell scripts obtained by curl?
- Thomas
On October 17, 2018 10:00:53 AM GMT+03:00, Thomas Mueller thomas@chaschperli.ch wrote:
> On 10/16/2018 11:15 AM, Sheogorath wrote:
> > Hi,
> > it's mostly a question out of curiosity but maybe useful for some people.
> > I wonder if there is a way to prevent a direct piping from curl to bash using SELinux.
> > And of course one can download a file and then run bash on it, but a simple rule that prevents direct piping would at least give a heads up about it.
> Sounds not like something I would implement. And you don't give much context to your situation.
> What do you like to prevent? Stop users with root-shells to execute arbitrary shell scripts obtained by curl?
It's a common idiocy we (sysadmins) face in the web world: programmers need "something" and find a tutorial which instructs them to download some bundle which self-installs via the infamous mantra under discussion in this thread. Obviously preceded by a sudo (because why not?)
Wolfy
On Tue, Oct 16, 2018 at 02:15:39AM PDT, Sheogorath spake thusly:
> I wonder if there is a way to prevent a direct piping from curl to bash using SELinux.
No good way to prevent it. If they can install software they can do it. Don't install curl. Monitor for process executions. I have auditd log execs. Anytime someone runs curl or wget in our production environment something's up.
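The exec monitoring described in the message above, sketched as an added example that is not part of the original thread or anyone's production setup: it pairs auditd SYSCALL and EXECVE records, reports every curl or wget execution, and applies a heuristic for the pipe-to-shell case. The audit rule, the key name `exec_log`, the sample records and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed auditd records (not from the thread). Assumes an exec rule such as
#   -a always,exit -F arch=b64 -S execve -k exec_log   (key name is hypothetical)
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1539767653.101:4101): arch=c000003e syscall=59 success=yes exit=0 ppid=2211 pid=2290 auid=1000 uid=0 comm="curl" exe="/usr/bin/curl" key="exec_log"
type=EXECVE msg=audit(1539767653.101:4101): argc=3 a0="curl" a1="-sSL" a2="https://example.invalid/install.sh"
type=SYSCALL msg=audit(1539767653.102:4102): arch=c000003e syscall=59 success=yes exit=0 ppid=2211 pid=2291 auid=1000 uid=0 comm="bash" exe="/usr/bin/bash" key="exec_log"
type=EXECVE msg=audit(1539767653.102:4102): argc=1 a0="bash"
type=SYSCALL msg=audit(1539767700.500:4110): arch=c000003e syscall=59 success=yes exit=0 ppid=2211 pid=2300 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="exec_log"
type=EXECVE msg=audit(1539767700.500:4110): argc=2 a0="ls" a1="-l"
'''
DOWNLOADERS = {"curl", "wget"}
SHELLS = {"sh", "bash", "dash", "zsh"}
HEADER = re.compile(r'type=(SYSCALL|EXECVE) msg=audit\((\d+\.\d+):(\d+)\): (.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_execs(log):
    """Merge the SYSCALL and EXECVE records that share an audit event serial."""
    events = defaultdict(dict)
    for m in filter(None, map(HEADER.match, log.splitlines())):
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[serial]
        if rtype == "SYSCALL":
            ev.update(fields, time=float(ts), name=fields.get("exe", "").rsplit("/", 1)[-1])
        else:  # EXECVE carries argv as a0..aN (this sketch does not decode hex-encoded args)
            ev["argv"] = [fields.get(f"a{i}", "") for i in range(int(fields["argc"]))]
    return [e for e in events.values() if "name" in e and "argv" in e]

def find_alerts(execs, window=1.0):
    """Report every curl/wget exec; piped_to_shell is a heuristic: a shell with no
    script argument started by the same parent within `window` seconds."""
    alerts = []
    for e in execs:
        if e["name"] not in DOWNLOADERS:
            continue
        piped = any(
            s["name"] in SHELLS and s["ppid"] == e["ppid"]
            and all(a.startswith("-") for a in s["argv"][1:])
            and abs(s["time"] - e["time"]) <= window
            for s in execs)
        alerts.append({"pid": e["pid"], "uid": e["uid"], "argv": e["argv"],
                       "piped_to_shell": piped})
    return alerts

if __name__ == "__main__":
    print(*find_alerts(parse_execs(SAMPLE_LOG)), sep="\n")
```

The sibling-shell check misses variants where the shell is started through another process such as sudo, so the downloader alert itself remains the primary signal.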
On 10/17/2018 11:13 AM, Tracy Reed wrote:
> On Tue, Oct 16, 2018 at 02:15:39AM PDT, Sheogorath spake thusly:
> > I wonder if there is a way to prevent a direct piping from curl to bash using SELinux.
> No good way to prevent it. If they can install software they can do it. Don't install curl. Monitor for process executions. I have auditd log execs. Anytime someone runs curl or wget in our production environment something's up.
chmod 700 $(which curl)
but a selinux policy preventing those exact pipe invocations would be interesting
selinux@lists.fedoraproject.org